From patchwork Sun Aug 2 17:55:00 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: fff-firewall: Remove ssh firewall on WAN interface From: Fabian Blaese X-Patchwork-Id: 1415 Message-Id: <20200802175502.451663-3-fabian@blaese.de> To: franken-dev@freifunk.net Date: Sun, 2 Aug 2020 19:55:00 +0200 This firewall was introduced as a countermeasure for very slow routers directly connected to the internet without any firewall. Our routers have got quite a bit faster since then. Also, a setup like this is highly uncommon, especially for slower routers. Therefore this firewall rule is removed. Fixes: #138 Signed-off-by: Fabian Bläse Reviewed-by: Adrian Schmutzler Reviewed-by: Robert Langhammer --- .../fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh index aa04ce9..bb18657 100644 --- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh @@ -1,9 +1,3 @@ -# If an router has a direct internet connection simple attack act as DOS attack -if [ -n "$IF_WAN" ]; then - iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -A INPUT -i $IF_WAN -j REJECT -fi - # Limit ssh to 6 new connections per 60 seconds /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear -j DROP
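Review bot: the removed block is broader than the subject line says. `iptables -A INPUT -i $IF_WAN -j REJECT` rejected every new inbound IPv4 packet on the WAN interface, not only SSH, so deleting it exposes any IPv4 service bound to $IF_WAN, and the rate limit that remains below is ip6tables-only, leaving port 22 with no IPv4 connection throttling at all. Suggest stating this scope change in the commit message (and in the comment at the top of 20-filter-ssh), and, if the intent is to keep WAN input closed for services other than SSH, moving the RELATED,ESTABLISHED/REJECT pair into a general WAN input filter script instead of dropping it outright.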